4 Responses to What’s in an AuthorizationServer Access Token?

You say “digitally signed” and it makes sense. I’m using an X.509 cert, which just works fine: validation is done by a combination of Thinktecture.IdentityModel.Tokens.IdentityModelJwtSecurityTokenHandler and System.IdentityModel.Tokens.JwtSecurityHandler.
However, I don’t really understand where & how the magic happens. There is no documentation on either side; could you elaborate where the signature is hidden? How do we prevent anyone from faking a token with some other valid certificate?

I’ve obtained my access token. Now I want to expose it to my JavaScript so I can call my WebAPIs. What is a ‘good’ way to expose the token so it can be used by the client JavaScript? I’ve been sending it down in a block in the page. It works, but feels like a bad idea.